December 2008 - Posts

A council employee has lost a USB memory stick that contained sensitive information. The employer, Neath Port Talbot council in south Wales, has launched an investigation and is declining to comment on the case until it is concluded. It seems to me that if disk encryption software like AlertBoot was used to secure the data on that flash drive, perhaps the council may not be so silent on the issue?

No doubt that one of the reasons the council is keeping mum is because the situation is sensitive. Not only do they have a data breach on their hands (never mind that a serious breach seems to occur every other week in the UK; the public hasn't been desensitized yet and keeps screaming for blood. Good for them, I say), it turns out that the data concerns children. As parodied often in The Simpsons, people seem to lose their heads when children are involved. (Won't somebody please think of the children? -- Mrs. Lovejoy)

Except in this case, according to an anonymous source who works as a foster carer, the children are "end-of-the-line kids." I thought that meant terminally-ill children until I read the following comment:

"If the people around here knew about their backgrounds I would probably get a brick through the window…In some cases, if this information got out, it could put them at risk."

I take it to mean that these are troubled youths, possibly with a rap sheet, and are at the end of the line. A pretty grim situation, if that's where you find yourself as a kid.

All the more reason, it seems, that the council should have made a better effort (yes, I'm assuming there was no encryption, although it's quite apparent the council has another set of reasons for keeping quiet) to secure the data. After all, if the council is making an effort to protect these children, and keeping their, erm, "status" secret was important, it just makes sense that any devices containing their information be protected as well. I see it as an extension to what they've been doing to date.

The council should, while conducting this investigation, also look into encrypting their digital files, be it on laptops, memory sticks, or portable USB disk drives. (Personally, I'd suggest they encrypt their desktop computers as well. The odds are low that a desktop will go missing, but the data breach coming from such an event has as much, or perhaps more, of an impact as losing a USB flash drive).

The sooner they start, the sooner they can minimize the risk of a data breach. No guarantees that stuff won't be missing, though. Memory stick encryption software can only guarantee the security of data.

There is something to be said about the convenience of full hard drive encryption software like AlertBoot, as opposed to the use of file encryption software. Granted, both are excellent ways of protecting sensitive data. However, one is more foolproof than the other. (I'm referring to hard drive encryption, of course.)

Also known as full disk encryption (or whole disk encryption), hard drive encryption does exactly what its name implies: it encrypts the contents of an entire hard drive. However, the wording here is very important because it implies something that hard drive encryption doesn't do.

Hard Drive Encryption Encrypts Data But Not Your Files

If an unencrypted hard drive resembles a box where you can place sensitive documents, an encrypted hard drive is like a safe with locks. I find this analogy to be very helpful in explaining how full disk encryption does not encrypt your files.

Remember, encryption is the process of scrambling data. This means that, if files are encrypted, that file undergoes a change (the scrambling process). If you copy that encrypted file to a USB memory stick or send it via e-mail, the file will remain scrambled.

However, this is not so with hard drive encryption. That is, the file will remain encrypted as long as it stays within that hard drive, but if the file is taken off the drive, then the file will not be encrypted anymore.

And that's why the locked safe box analogy works to illustrate the point. Placing a document in a safe doesn't materially change the document itself. The protection is afforded by the safe. Take the document out of the safe and it faces a significantly higher risk of its contents being read like normal, regular files.

Minimize the Risk of Not Encrypting Sensitive Files

And yet I noted at the top of the page that hard drive encryption is foolproof. How? you may be asking.

The answer has to do with the way computers create temporary files, and the availability of excellent search software. Temporary files are created whenever you work on a digital document. You probably can't see them, since the settings for the latest versions of Windows are automatically set to "do not show," but opening a Microsoft Word file and just typing one letter will create a temporary file, a file with a name that ends in ".tmp."

These are created left and right as significant changes are made to the original document, and usually carry the same information as the actual file. Temporary files do not overwrite themselves, so plenty of these are created over a given hour. These files are supposed to delete themselves once you close the original…but it doesn't always work that way.

This means you may potentially have hundreds, maybe thousands, of temporary files on your computer. Whether the information in those files is sensitive, nobody knows. In the past, it would have meant having to open every single one of them in order to find out, and this afforded a form of protection known as "practical obscurity": it's annoying to open thousands of files knowing that there may be nothing of interest there, so most people don't even bother.

Today, however, there is plenty of (cheap) software out there that will do the search for you. For example, software that peers into files to see if 9-digit numbers can be found, potentially numbers that represent SSNs. Credit cards are usually 16 digits, longer if they happen to be American Express. The software can account for dashes, spaces, etc. Finding sensitive information has become a piece of cake.

Who's going to take the time to encrypt temporary files? No one, and this could be a potential data breach source. If you encrypt entire hard drives, though, this won't be a problem. You do need to remind yourself to encrypt any files getting off of that drive, though.
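The same kind of search can be run by a defender to audit a machine for leftover temporary files before it leaves the office. The following is an added example, not code from the original post or from any product it mentions; the function names, the `.tmp` suffix filter and the sample values are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# SSN shape: 3-2-4 digits with optional matching dash/space separators.
# Never-issued values (area 000/666/9xx, group 00, serial 0000) are skipped.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9)\d{3}(?P<sep>[- ]?)(?!00)\d{2}(?P=sep)(?!0000)\d{4}(?!\d)"
)
# Card shape: 13-19 digits, contiguous or in groups of four with matching
# separators. The lookahead lets candidates overlap, so a rejected candidate
# cannot swallow a real number that starts a few characters later.
CARD_RE = re.compile(
    r"(?<!\d)(?=(\d{4}(?P<sep>[- ]?)\d{4}(?P=sep)\d{4}(?P=sep)\d{1,7})(?!\d))"
)
MAX_BYTES = 8 * 1024 * 1024  # read at most 8 MiB of each file


def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the report is not itself a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text):
    """Return sorted (kind, masked_value) pairs found in text."""
    hits = set()
    for m in SSN_RE.finditer(text):
        hits.add(("ssn", mask(re.sub(r"\D", "", m.group(0)))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(1))
        if luhn_ok(digits):
            hits.add(("card", mask(digits)))
    return sorted(hits)


def scan_tree(root, suffixes=(".tmp",)):
    """Walk root and report leftover temp files holding SSN/card-like data."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(tuple(suffixes)):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # locked or unreadable file: skip it
            # Office temp files often hold UTF-16 text; dropping NUL bytes
            # lets one pass cover UTF-16LE and single-byte text alike.
            text = data.replace(b"\x00", b"").decode("latin-1")
            hits = find_sensitive(text)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    # Constructed sample: a fake Word temp file with made-up test values.
    with tempfile.TemporaryDirectory() as root:
        sample = "Client SSN: 123-45-6789, card 4111 1111 1111 1111"
        with open(os.path.join(root, "~WRL0001.tmp"), "wb") as fh:
            fh.write(sample.encode("utf-16-le"))
        for path, hits in scan_tree(root).items():
            print(os.path.basename(path), hits)
```

Any 9-digit number has the SSN shape, so hits are candidates to review, not confirmed records.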

Performance Hits? Not Applicable for Most People

If I may go on a tangent, I was a supporter of the seti@home project when it started gaining momentum, back in 1998. The seti@home project is a distributed computer processing project that analyzes space signals from the Arecibo observatory (They're looking for E.T. No, for real; they are).

I wouldn't have done it, though, if my computer were to experience a performance hit. But that was never an issue because I mostly used my computer for typing reports and running small spreadsheets. Even if I were to type 300 words a minute, the computer was probably doing the equivalent of twiddling its thumbs a million times between my keystrokes.

Likewise, performance hits coming from full disk encryption are minimal at best for the average computer user. Computer performance used to be an issue in the past (like 10 years ago) because the hard drive continuously encrypts data as you're creating and modifying documents. But with modern computer hardware, you shouldn't notice performance hits unless you make it a point to track that stuff.

All in all, hard drive encryption represents an excellent way of safeguarding your electronic data.

"Hard drive encryption" (aka, full disk encryption) describes a case where the entire hard drive is encrypted. It must be noted, full disk encryption does not actually encrypt your files. Rather, the hard disk--and as a result, anything that is stored on that hard disk--is encrypted.

It sounds like the same thing, doesn't it? After all, encrypted is encrypted, right?

However, there's a critical difference: if you copy the files off the external hard disk to another device--like to another external hard drive, another computer, or burn it to a CD, or send it via e-mail--your data will not show up as encrypted. That's because the file has been released from the confines of the protected (encrypted) hard drive.

So, let me emphasize the point once more: under hard disk encryption, it's not the actual files that are encrypted; it is the external hard disk itself that is encrypted, and as a result, the files on that encrypted hard disk are protected as well.

"File encryption," on the other hand, does exactly what its name implies: the file itself is encrypted. So copy, burn, and e-mail away: your information will be protected no matter what.

So why do people even bother with hard disk encryption? There are pros and cons to everything, and hard disk encryption is no different. Some of the pros are:

Anything that’s saved to the external drive is automatically encrypted.

No need to wonder (or worry) if you forgot to encrypt a file, if you lose the external drive (see above bullet point).

No need to worry about temporary files or cached files, which are created automatically whenever you work on a document. Sometimes they're deleted after closing the document, sometimes they're not. (More importantly, it's nearly impossible to encrypt temporary files one by one. Keeping a Word document open for 10 minutes, for example, creates at least 10 temporary files alone.)

If the hard disk is being used as a data backup repository, you know you're set in terms of data security.

Easier auditing. Since anything on the computer is encrypted automatically, all you have to prove is that the computer was encrypted prior to being stolen.

The cons?

The situation I described above about copying files to somewhere else.

There’s an initial period where you must encrypt your drive. This process could take a couple of hours to half a day depending on your computer's specs (RAM, CPU, drive capacity, etc.) and the encryption algorithm being used. However, companies like AlertBoot offer encryption solutions where the encryption process runs in the background and is barely noticeable (a "transparent" process), so it doesn't have as much of an impact as it would have 5 years ago.

Overall, disk encryption offers the same protection as file encryption with fewer hassles. The frustrations you gain when copying files off the disk are neutralized by not having to worry about temporary and cached files--a real concern, since there are cheap (even free) products out there that will peer into such files for data mining purposes (Google desktop being one of them), a concern if you ever lose an external hard disk drive or a laptop computer.

It's being reported by The Telegraph that the British government has lost over 2800 computers since 2002, or about a computer a day, on average. The losses break down to 1774 laptops and 1035 desktops. Furthermore, 202 hard drives and 195 memory sticks also went missing. I'd generally say that full disk encryption solutions like AlertBoot would have stemmed any data security breaches…but in this case, I'm not so sure.

Full Disk Encryption Is Not A Substitute For Brains

When roughly half of your computer losses--and, consequently, data losses--stem from the loss of desktop computers, you've got serious issues. I mean, I can understand the loss of laptops. It hasn't happened to me, yet, but the chances that it will happen to me sometime during my lifetime are pretty high, especially since desktops seem to be going the way of dinosaurs. (You can't lose something that's not gonna be there anymore, right?) People tend to forget stuff when they're carrying them around, not to mention it drastically increases the odds of it being stolen.

But how do you lose a desktop? Those are pretty hard to lose. They're not impossible to lose, so I can accept desktops being part of the equation. But half of all losses?

Since most people don't carry around desktop computers--it's slightly inconvenient--I would imagine most of these losses stem from three things: 1) Theft by outsiders (break-ins), 2) Theft by insiders, and 3) Misplacement (stuck in a closet somewhere, eventually followed by either #1 or #2 above). Regardless, this shows a clear lack of security. I mean, stuff disappears from your office, and nothing is done?

In my experience, data encryption doesn't work with such cavalier attitudes: those who are apt to close store for the night with doors and windows unlocked are also the types to keep their passwords stuck to keyboards and monitors. Hard drive encryption software may cure a lot of ills, but only when used correctly--not that it takes a lot of brains to figure that one out.

Oxymorons: Pretty Ugly. Idiot Savant. Military Intelligence

Of all government branches, the Ministry of Defence had the most losses, with over 1000 lost laptops and 164 missing desktops.

First, I'd like to remark that those odds are more like it. (Question: who the heck's lost so many desktops that it brought up the total ratio to almost 60/40?)

Second, I'd like to say that this "normal" ratio doesn't excuse the Ministry of Defence. They're in the business of safety, as it were, and should be a beacon for how data security should be done. If the military, the ultimate organization that requires coded information to ensure success--WWII, Bletchley Park, and the Enigma machine come to mind--cannot secure data, well, who can? I can't imagine anyone with greater incentive for protecting sensitive data.

On the other hand, my criticism may be unwarranted since I do not know what percentage of computers they represent. For example, losing 1000 laptops is a huge deal, but one's criticism would increase or decrease in vitriol depending on the total number of computers the ministry has: do they have 50,000 computers or 2000 computers? The former means a rate of loss of 2% over 7 years; the latter means a loss rate of 50%, which would probably indicate criminality, not incompetence.

Looking for the best disk encryption software? Your definition of "best" may differ from mine, but I'd look for:

A centrally managed encryption program that can encrypt your hard drives (external as well as in desktops and laptops).

It should also offer file encryption, for encrypting individual files, and USB port security.

Because it's centrally managed, it means your encryption keys are managed and backed up for you--an important add-on that cannot be ignored: Lose your encryption keys and no one, including yourself, will be able to access the encrypted data. So, backups are extremely important.

Also offered should be 24/7 password recovery, on-line and via phone.

Powerful reports for auditing and keeping track of computers' encryption status should also be available.

The above features are found in AlertBoot endpoint security systems, while other encryption suites may offer the same or a combination of these. Regardless of who you choose to go with, the following are some points to take into consideration when choosing an encryption program to fit your needs:

When it comes to security, people want the best. Naturally, people will want to have the best encryption software when it comes to data security software products as well. While many are looking into using laptop encryption, the truth is that encryption makes sense regardless of the type of computer you use (desktops, servers, UPMCs, netbooks, etc.) if you’re constantly working with sensitive information.

If you’re looking for the best encryption software, chances are that you’re looking for the one brand that will ensure that hackers won’t be able to get to the sensitive data you’ve been entrusted with. But the truth is there is no one brand -- just like you can’t claim a Ferrari is better than a Maserati, or vice versa: Once you get to the top, opinions diverge on what is the best; however, you know that a Ferrari is better than a Ford Pinto, and so it is for encryption products. So the question is not so much “what is the best encryption software” as “which are the better encryption software packages out there?”

Best Encryption Software - A Couple Of Considerations

The security afforded by encryption software comes from two things: the encryption algorithm (or formula) and the encryption key.

First of all, you’ll want some type of product that uses widely-accepted encryption algorithms. It turns out that it’s incredibly difficult to encrypt data in a secure manner. Many encryption algorithms have been proposed over the years, and most have been found to have flaws in them, making a data breach a (short) matter of time. However, some encryption methods have resisted all sorts of attacks to eventually become standards in the cryptographic community. Two of these algorithms, already incorporated and used in AlertBoot encryption suites, are RSA and AES.

You’ll want to make sure the company you go with is using these, or other widely approved, algorithms to power its encryption software. Beware of any encryption products that use in-house developed encryption algorithms. Chances are these haven’t been attacked (or as the professionals say, vetted) as thoroughly as the two mentioned above -- in fact, they’re still being attacked to test their efficacy -- so one day you may find out that your data is compromised despite employing what your vendor calls an encryption package.

The second thing to consider is the encryption key length. An encryption key is, basically speaking, a string of random characters that may include letters, numbers, and special characters. The security of any encryption product ultimately comes from the key length, assuming the algorithm is rock-solid, like the two mentioned above. The longer the key length, the more secure the encryption is going to be.

Modern computers, due to their processing speed and power, are able to render certain key lengths useless via a technique known as “brute force attacks,” where the attacker tries to guess what the key is.

For example, in the past, Microsoft Word gave you the option of encrypting documents, for free. Due to restrictions regarding the export of encryption software, though, long keys were not allowed, crippling the encryption’s efficacy. There are many copies of Word out there that use a 40-bit key. Such protection can be defeated in 48 hours or less (there are plenty of companies that will brute force their way in, at a price…guaranteed).

This problem is easily circumvented by using longer keys. For example, on-line banking uses 128-bit keys, and even longer keys are available as well. Make sure the encryption software you go with offers at least 128-bit keys. That's the minimum you should ask for in this day and age.

[Note: The true representation of these key lengths is 2^128 (two to the power of 128) and 2^40. In other words, 128 bits is not three times the protection of 40 bits, but more like 3 followed by 26 zeros worth of protection. As a quick reminder, I'd like to point out that a trillion only has 12 trailing zeros…that's a lot of protection.]

Other Things To Consider When Looking For That “Best Encryption Software” - Passwords

Once you’ve sifted through different encryption products, it’s time to look at other details. The third factor that is extremely important in encryption is your password. A password is necessary because, well, you want to have access to your own data, right? But, if your password is easy to guess, then the strongest encryption software in the world won’t protect your data.

Any encryption software that is worth its mettle will allow you to control what type of password is allowed. For example, you know a long, alphanumeric password (TheBestPasswordInTheWorld42222*22221) is better than a string of letters (mypassword). So, you may want the software to disallow passwords that are less than six characters in length and force users to add at least one number. Other password creation restrictions include:

Preventing the use of palindromes

The username being used as a password

Forcing users to change passwords on a scheduled period

Locking out users if the wrong password is entered more than X number of times

Not all of the above are recommended, depending on who you talk to. Different strokes for different folks, I say. At least, their availability is nice if you end up needing them.
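The restrictions listed above can be expressed as a small policy object, shown here as an added example that is not code from the original post or from any vendor. The class names, the 90-day rotation period, the value of five for "X" and the choice to reject any password that contains the username are assumptions.

```python
import time
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 6            # the post's example minimum
    require_digit: bool = True     # "at least one number"
    forbid_palindrome: bool = True
    forbid_username: bool = True
    max_age_days: int = 90         # assumed rotation period
    max_failures: int = 5          # assumed value for "X"

    def violations(self, username, password):
        """Return the list of rules a candidate password breaks."""
        found = []
        folded = password.casefold()
        if len(password) < self.min_length:
            found.append("too_short")
        if self.require_digit and not any(c.isdigit() for c in password):
            found.append("no_digit")
        if self.forbid_palindrome and folded == folded[::-1]:
            found.append("palindrome")
        # Case-insensitive, and also catches "alice2008" for user "alice".
        if self.forbid_username and username and username.casefold() in folded:
            found.append("contains_username")
        return found

    def expired(self, last_changed, now=None):
        """True when the password is older than the scheduled period."""
        now = time.time() if now is None else now
        return now - last_changed > self.max_age_days * 86400


@dataclass
class LoginGuard:
    policy: PasswordPolicy
    failures: dict = field(default_factory=dict)

    def locked(self, username):
        """Locked once the wrong password was entered more than X times."""
        return self.failures.get(username, 0) > self.policy.max_failures

    def record(self, username, success):
        """Count a login attempt; return True if the account is locked."""
        if self.locked(username):
            return True  # a correct password does not unlock the account
        if success:
            self.failures.pop(username, None)
        else:
            self.failures[username] = self.failures.get(username, 0) + 1
        return self.locked(username)

    def reset(self, username):
        """Administrative unlock, e.g. after a password recovery call."""
        self.failures.pop(username, None)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("mypassword", "Ab1ba", "ALICE2008"):
        print(candidate, policy.violations("alice", candidate))
```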

Add-Ons That Make Data Security Management Easier

Of course, encryption is not the end all, be all of data security. Anybody who makes that claim either doesn't understand data security issues or is trying to sell you something (or both). Vendors of data security products may offer other “amenities” to increase your organization’s data security. Controlling the end users' password criteria is an aspect of such a feature.

Pulte Homes, one of the largest home building companies in the US, has announced that a backup tape containing the information of 16,000 customers was stolen about a month ago. Letters were sent to customers on December 19, and it's been picked up by the media on Christmas. The use of file encryption software like AlertBoot would have certainly helped to protect these customers. The question is, was it used in this particular instance?

Since there is no mention of it anywhere, I tend to gravitate towards "no." Plus, combine it with all the warnings and recommendations that Pulte did make, and the scale tips even further towards "no." For example, Pulte supposedly advised customers to close credit card and other financial accounts, and to get new PINs and passwords, in addition to offering one free year of credit monitoring.

Going back to the case, a box of backup tapes was stolen on November 13. While the theft was noticed immediately, the police advised the company hold back on an immediate public disclosure. The home builder took the time to identify customers who would have to be notified-- once the police deemed a safe amount of time had passed, I guess.

Why would police recommend such a thing? I'd suppose one of the reasons would be not to alert the thieves about the treasure trove they have on their hands, assuming these thieves stole the tapes not knowing what they were. No sense in letting these thieves know, right?

However, that kind of reasoning normally tends to work on devices that have a value in their own right. For example, imagine an instance where a laptop computer that also serves as a data server for an internet-based startup company is stolen: a thief may have stolen the laptop because it's a laptop, not necessarily because it houses the credit card numbers of 10,000 customers. This is not to say that the thief wouldn't attempt to check what's on the computer (and a further reason for using hard disk encryption to protect the contents), but at least there's a likely explanation for the theft other than the data.

But it would be different for a box full of tapes. I mean, you find a box of VHS tapes that, based on the label, look like home videos. They would have no resale value. Do you steal them? Most thieves wouldn't unless a) they have nothing better to do or b) they think there may be some kind of value in those tapes if they go through them. A form of criminal value like, say, finding some way to perpetrate blackmail (are these sex tapes?)

Now substitute those VHS tapes with computer backup tapes. Does the situation change at all? I'd say no; those tapes are still worthless unless one thinks there may be something useful in there. In other words, those tapes were most probably stolen specifically because they happen to be backup tapes. This would be even more true if some other item of value happened to be next to the box of tapes (no mention of that, though). So, it seems to me that the police department's suggestion was ill-advised in this case. The construction company's customers ought to have been alerted ASAP…which turns out to be one month: it took Pulte about a month to figure out who could potentially be affected. (Conscientious people might make multiple backups, but I've never heard of backing up backups, so I can understand why it took so long.)

Data security is not hard, but it is hard to achieve. I'm not sure how this box of tapes got stolen (did someone break in to a storage room? Was it lying on the ground right outside of the storage room? Was it in someone's convertible parked at the airport?), but, obviously, having someone around to keep an eye on things all the time would have prevented this breach.

An alternate option, and in some ways a better option, is probably the use of protection that travels with the data. The use of backup tape encryption software would have made Pulte Homes's words ring a little less hollow: "We definitely pride ourselves in having a safe environment for our customers."